ExchangeCve-2021-26855

Windowsv1

Author: Dennis Reneau

description

Exchange Server Vulnerability *.Compiled Files

paths

4 paths

AppsExchange Server Modified Compiled Files

C:\Windows\Microsoft.NET\Framework*\v*\Temporary ASP.NET Files\Regex:*.\b[a-zA-Z0-9_-]{8}\b.compiled

Highly dependent on Exchange configuration

AppsExchange Server Modified Compiled Files

C:\inetpub\wwwroot\aspnet_clientRegex:*.\b[a-zA-Z0-9_-]{8}\b.compiled

Highly dependent on Exchange configuration

AppsExchange Server Modified Compiled Files

C:\inetpub\wwwroot\aspnet_client\system_web\Regex:*.\b[a-zA-Z0-9_-]{8}\b.compiled

Highly dependent on Exchange configuration

AppsExchange Server Modified Compiled Files

C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\Regex:*.\b[a-zA-Z0-9_-]{8}\b.compiled

Highly dependent on Exchange configuration

› paths use Windows environment syntax

collection commands

source:

destination:

# PowerShell Artifact Collection Script
# Target: ExchangeCve-2021-26855
# Run as Administrator

#Requires -RunAsAdministrator

$ErrorActionPreference = "SilentlyContinue"
$DestBase = "D:\Evidence"

# Function to handle directory creation and copying
function Collect-Artifact {
    param (
        [string]$SourcePath,
        [string]$FolderName
    )
    $FullDest = Join-Path -Path $DestBase -ChildPath $FolderName
    if (-not (Test-Path -Path $FullDest)) {
        New-Item -ItemType Directory -Path $FullDest -Force | Out-Null
    }
    Copy-Item -Path $SourcePath -Destination $FullDest -Recurse -Force
}

# 1. Exchange Server Modified Compiled Files
Collect-Artifact -SourcePath "C:\Windows\Microsoft.NET\Framework*\v*\Temporary ASP.NET Files\\Regex:*.\b[a-zA-Z0-9_-]{8}\b.compiled" -FolderName "Exchange_Server_Modified_Compiled_Files"

# 2. Exchange Server Modified Compiled Files
Collect-Artifact -SourcePath "C:\inetpub\wwwroot\aspnet_client\Regex:*.\b[a-zA-Z0-9_-]{8}\b.compiled" -FolderName "Exchange_Server_Modified_Compiled_Files"

# 3. Exchange Server Modified Compiled Files
Collect-Artifact -SourcePath "C:\inetpub\wwwroot\aspnet_client\system_web\\Regex:*.\b[a-zA-Z0-9_-]{8}\b.compiled" -FolderName "Exchange_Server_Modified_Compiled_Files"

# 4. Exchange Server Modified Compiled Files
Collect-Artifact -SourcePath "C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\\Regex:*.\b[a-zA-Z0-9_-]{8}\b.compiled" -FolderName "Exchange_Server_Modified_Compiled_Files"

Write-Host "Collection complete!" -ForegroundColor Green

› Save as .ps1 and run as Administrator. Use: powershell -ExecutionPolicy Bypass -File script.ps1

references

Microsoft Exchange CVE-2021-26855

Identified *.compound files are modified XML files associated with malicious dll's.

https://news.sophos.com/en-us/2021/03/05/hafnium-advice-about-the-new-nation-state-attack/

Query for WebShell IOC's with randomized 8 character names preceding the .compiled file extension.

// description

// paths

// collection commands

// references

description

paths

collection commands

references